Method for managing data integrity faults in a re-writeable memory

ABSTRACT

A method of managing integrity defects concerning data written in a rewritable memory of an electronic component, said electronic component being suitable for performing operations that are capable of modifying at least some of said data and of interchanging information relating to said operations either off-line, directly with a terminal, or else on-line, with an issuer via said terminal. According to the invention, said method consists in: defining firstly “main” data in which an integrity defect is representative of faulty operation of the rewritable memory, and secondly “secondary” data in which an integrity defect is representative either of faulty operation of the rewritable memory, or else of an interruption in the power supply to the electronic component; on each operation, checking the integrity of at least some data; if a check on the integrity of at least some of the main data reveals an integrity defect, preventing any further operation; and if an integrity check on secondary data reveals an integrity defect, allocating at least one default value to at least one item of secondary data, thereby requiring an interchange to be performed on-line during the following operation. The invention is applicable to making secure transactions performed by means of electronic memory cards.

FIELD OF THE INVENTION

The present invention relates to a method of managing integrity defects of data written into a rewritable memory of an electronic component.

A particularly advantageous application of the invention lies in the field of providing security for electronic transactions performed between an electronic component on a card, referred to as “an electronic memory”, and a terminal connected to an issuer managed by an operator: a bank card undertaking or some other operator.

Under such circumstances, the electronic component of the card performs operations, e.g. erasing and/or writing, capable of altering the data written in the rewritable memory, and it exchanges information concerning the operations it has performed, either directly with the terminal in an off-line mode of operation, or with the issuer via the terminal in an on-line mode of operation. Which of those two modes of operation is selected depends on pre-established criteria, for example if the amount involved in the transaction is less than a certain threshold, then communication takes place off-line, whereas above the threshold the transaction must be performed on-line, with authorization from the issuer being necessary under such circumstances.

BACKGROUND OF THE INVENTION

As a general rule, the electronic memory cards used for performing electronic transactions, e.g. of the credit/debit type, have EEPROM or flash EPROM memories giving the two advantages of being non-volatile and of being electrically erasable, and thus of being rewritable. However they can be reprogrammed a limited number of times only and they take a long time to be programmed.

In certain applications, it can happen that these memories are corrupted for one or other of the following reasons:

too large a number of rewrite operations, wearing out certain memory cells and giving rise to faulty operation of the electronic memory;

programming performed for a very short time only, giving rise to insufficient charge in the memory cells; and/or

accidental interruption of the electrical power supply during programming, giving rise to the same effect, or indeed to earlier values being erased without new values being programmed.

This third risk is particularly important in applications such as electronic memory cards where said memory is on board an object whose power supply is external and from which it can be separated at all times.

Nevertheless, it can be seen that these causes of corruption giving rise to integrity defects in the data written in the rewritable memory are not equivalent. A memory malfunction due to cell wear is final and irreversible, whereas writing errors due particularly to the card being taken out of the terminal too soon or to the electronic component losing its power supply voltage are isolated accidents that do not involve the general operation of the system.

SUMMARY OF THE INVENTION

Thus the technical problem to be solved by the present invention is to provide a method of managing integrity defects of data written in a rewritable memory of an electronic component, said electronic component being suitable for performing operations capable of modifying at least some of said data and of interchanging information relating to said operations, either directly off-line with a terminal or on-line with an issuer via said terminal, which method makes it possible to distinguish between integrity defects due to faulty operation of the electronic memory making the component and the electronic card irremediably unusable and integrity defects associated with incidents that interfered with the electrical power supply to the electronic component without the general operation of the electronic memory card being involved.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow-chart diagram illustrating a writing operation in accordance with the invention.

FIG. 2 is a flow-chart diagram illustrating a reading operation in accordance with the invention.

DETAILED DESCRIPTION OF THE INVENTION

According to the present invention, the solution to the technical problem posed consists in that said method consists in:

defining firstly “main” data in which an integrity defect is representative of faulty operation of the rewritable memory, and secondly “secondary” data in which an integrity defect is representative either of faulty operation of the rewritable memory, or else of an interruption in the power supply to the electronic component;

on each operation, checking the integrity of at least some data;

if a check on the integrity of at least some of the main data reveals an integrity defect, preventing any further operation; and

if an integrity check on secondary data reveals an integrity defect, allocating at least one default value to at least one item of secondary data, thereby requiring an interchange to be performed on-line during the following operation.

Thus, when an integrity defect is detected involving any part of said main data it is necessarily deduced that the defect is due to irreversible faulty operation of the rewritable memory, e.g. due to memory cell wear.

This integrity defect will be presented each time a user seeks to perform any operation, giving rise to the same consequence of said operation being refused again. The holder of the faulty electronic memory card, perceiving that the card has become unusable, must then request another card from the issuing organization.

In contrast, if the integrity defect appears in secondary data, doubt can remain as to the origin of said defect. That is why, instead of definitively banning operation, as is the case when an integrity defect concerns main data, it is preferred to enable the memory card to operate again during the following operation, in case the integrity defect observed during the preceding operation was due merely to a power supply problem without the ability of the card to operate normally being implicated. However, if the origin of the integrity defect in secondary data is cell wear of the rewritable memory, or any other irremediable faulty operation, then the step of giving the default value, which requires writing in the memory, cannot be performed, and as a result, on the next operation, there will again be an integrity defect in the secondary data, and so on until the user understands that the card is not working and informs the issuing organization of this anomaly to have a new card issued.

For example, main data can be unchanging data relating to the identity of the issuer and/or of the holder of the card which includes the electronic component and the rewritable memory. This data is written in a read-only memory of the component and is never modified during successive operations performed by the operator using the electronic memory card. This data is thus insensitive to any fluctuation in the electrical power supply to the card, and in particular it is insensitive to the card being withdrawn from a terminal at the wrong time, and if an integrity defect is observed in this data, that can only be because of irreversible faulty operation of the electronic memory, which is why the decision is taken to prevent any subsequent operation if this kind of integrity defect occurs.

Main data may also be comprised by variable data protected by a backup device against interruptions of the electrical power supply to the electronic component. This is data which is modified on each operation and which is thus liable to be corrupted by a failure in the power supply to the component, but which also benefits from a backup and recovery system so that it is possible at all times to access the most recent validated value of the data subject to said system.

In electronic memory cards that can be used for performing debit/credit electronic transactions, main data of this type is constituted, for example, by the transaction counter which is incremented by 1 on each operation. This counter must under no circumstances be lost since that would give the proprietor of the card the possibility of denying certain transactions. That is why it is protected by a backup device, such as that described in French patent application No. 95/15186 in the name of the Applicants.

Under such circumstances, an integrity defect observed in the value of the transaction counter reveals faulty operation of the rewritable memory and not of the electrical power supply to the electronic component, and as a result it gives rise to an absolute ban on performing any further transactions.

The secondary data can be very diverse, and by way of example, mention can be made of the following:

an “on-line” flag constituted by a single bit (0 or 1) in a file. If the electronic component decides to establish an on-line link with the issuer, e.g. if the amount of a transaction exceeds a given value, then the “on-line” flag is set to 1. Thereafter, it is verified that the on-line link has been properly established, and if so the flag is reset to 0. Thus, if on the following transaction the “on-line” flag is still at 1, then the previous on-line transaction was not properly performed;

flags for authenticating the issuer and/or the electronic memory card. These are likewise 0 or 1 bits which normally take the value 0 if authentications have indeed been verified successfully, with the value 1 revealing a problem of authentication;

copying the transaction counter after each on-line operation. Comparing the values of the transaction counter and of its copy makes it possible to take a decision whether an on-line operation should be performed. Too great a difference between these values indicates that the most recent on-line operation is old and thus that the next operation must be performed on-line, specifically so as to be able to perform certain integrity checks.

FIG. 1 illustrates the following procedure for writing any data in the rewritable memory of the electronic component (EEPROM):

(1) writing the data (WRITE DATA) in the rewritable memory (EEPROM);

(2) verifying that the writing is correct (DATA=CORRECT?);

(3) if the writing is correct (Y):

(a) calculating a checksum, referred to as a “first” checksum (CHECKSUM 1), on the basis of the value of the data written in the memory; and

(b) writing the checksum (WRITE CHECKSUM 1) in the rewritable memory (EEPROM); or

(4) if the writing is not correct (N), halting the current operation (HALT).

It will be understood that on each operation, calculating and writing the first checksum for given data are performed only after the value of the data has been written in the rewritable memory and it has been verified that it is correct. In this way, if an integrity defect occurs while writing the data, be it main data or secondary data, and for whatever reason, the current operation is cancelled. However, if the written data is correct, said first checksum corresponding to the data is calculated and written in turn in the rewritable memory. If an integrity defect occurs when writing the first checksum, that will be detected during the following operation since, in accordance with the invention, provision is made in general manner for an integrity check to consist at the beginning of an operation in calculating a second checksum for the data on the basis of the value of said data as present in the rewritable electronic memory, and in comparing said second checksum with a first checksum as written in said memory during the preceding operation.

FIG. 2 illustrates a reading of any data in the rewritable memory. The reading takes place as follows:

(1) the data is read (READ DATA) in the memory (EEPROM);

(2) the second checksum (CHECKSUM 2) is calculated;

(3) the second checksum is compared with the first checksum as written in the memory during the preceding operation (COMPARE CHECKSUM 1, CHECKSUM 2);

(4) if a negative comparison (COMPARE=NEG) reveals an integrity fault concerning main data (DATA=MAIN), the operation is prevented from continuing (HALT) since under such circumstances the reason for the comparison being negative is faulty operation of the memory;

(5) if a negative comparison (COMPARE=NEG) reveals an integrity defect concerning secondary data (DATA=SECONDARY), a default value is given to the data (DATA=DEFAULT), with the default value requiring an on-line interchange during the following operation; and

(6) if the comparison is positive (COMPARE=POS), then the operation is continued (CONTINUE).
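As an added illustration that is not code from the patent, the following toy C model runs the FIG. 1 write procedure and the FIG. 2 read procedure together with the main/secondary decision. The record layout, the one-byte additive checksum, the wear and power-cut fault model and the result codes are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not code from the patent: a toy model of the FIG. 1 write and
 * FIG. 2 read procedures. Record layout, the one-byte additive checksum, the
 * wear/power-cut fault model and the result codes are all assumptions. */
enum data_class { DATA_MAIN, DATA_SECONDARY };
enum result { CONTINUE, HALT, DEFAULT_APPLIED };
#define LEN 4

struct record {
    enum data_class cls;
    int worn;             /* simulated wear: one cell of value[] drops a bit */
    uint8_t value[LEN];   /* data cells in the simulated EEPROM */
    uint8_t checksum;     /* "first" checksum cell, written after the data */
    uint8_t dflt[LEN];    /* default value that forces an on-line interchange */
};

static uint8_t checksum_of(const uint8_t *v)
{
    uint8_t s = 0;
    for (int i = 0; i < LEN; i++) s = (uint8_t)(s + v[i]);
    return s;
}

/* FIG. 1: write the data, verify it, then compute and write the first checksum.
 * power_cut models the card being pulled between steps (2) and (3). */
enum result write_data(struct record *r, const uint8_t *src, int power_cut)
{
    memcpy(r->value, src, LEN);                       /* (1) WRITE DATA */
    if (r->worn) r->value[0] ^= 0x01;                 /* worn cell loses a bit */
    if (memcmp(r->value, src, LEN) != 0) return HALT; /* (2) DATA=CORRECT? N -> (4) */
    if (power_cut) return HALT;                       /* checksum never written */
    r->checksum = checksum_of(r->value);              /* (3a) CHECKSUM 1 */
    return CONTINUE;                                  /* (3b) WRITE CHECKSUM 1 */
}

/* FIG. 2: recompute the checksum and act according to the data class. */
enum result read_data(struct record *r)
{
    uint8_t checksum2 = checksum_of(r->value);        /* (1)+(2) READ, CHECKSUM 2 */
    if (checksum2 == r->checksum) return CONTINUE;    /* (6) COMPARE=POS */
    if (r->cls == DATA_MAIN) return HALT;             /* (4) memory fault: stop */
    /* (5) secondary data: give the default value; that write goes through
     * FIG. 1, so on a worn cell it fails and the defect reappears next time. */
    if (write_data(r, r->dflt, 0) != CONTINUE) return HALT;
    return DEFAULT_APPLIED;                           /* next operation on-line */
}
```

A power cut between the data write and the checksum write is caught on the next read and, for secondary data, resolved by the default value; wear on the cells keeps producing HALT on every subsequent operation, whichever class the data belongs to.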

What is claimed is:
1. A method of managing integrity defects concerning data written in a rewritable memory of an electronic component, said electronic component being suitable for performing operations that are capable of modifying at least some of said data and of interchanging information relating to said operations either off-line, directly with a terminal, or else on-line, with an issuer via said terminal; the method being characterized in that it consists in: defining firstly “main” data in which an integrity defect is representative of faulty operation of the rewritable memory, and secondly “secondary” data in which an integrity defect is representative either of faulty operation of the rewritable memory, or else of an interruption in the power supply to the electronic component; on each operation, checking the integrity of at least some data; if a check on the integrity of at least some of the main data reveals an integrity defect, preventing any further operation; and if an integrity check on secondary data reveals an integrity defect, allocating at least one default value to at least one item of secondary data, thereby requiring an interchange to be performed on-line during the following operation.

2. A method according to claim 1, characterized in that an integrity check consists, at the beginning of an operation, in calculating a second checksum relating to the data on the basis of the value of said data present in the rewritable electronic memory, and in comparing said second checksum with a first checksum written in said memory during the preceding operation.

3. A method according to claim 2, characterized in that, on each operation, the first checksum concerning data is calculated and written only after the value of the data has been written in the rewritable memory, and it has been verified for correctness.

4. A method according to claim 1, characterized in that said main data comprises fixed data relating to the identity of the issuer and/or of the holder of the electronic component.

5. A method according to claim 1, characterized in that said main data comprises variable data protected by a backup device for providing protection against interruptions in the power supply to the electronic component.